Cybercrime , Fraud Management & Cybercrime
Darknet Disruption: 'Wall Street Market' Closed for BusinessSuspected Admins Arrested in Germany and Alleged Top Narcotics Vendors in US
Two of the world's most notorious darknet markets have been disrupted as part of coordinated, international law enforcement operations. The markets sold illegal narcotics, counterfeit currency, malware, stolen jewelry and more.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
Authorities officially announced the takedowns of the Wall Street Market as well as the Silkkitie - aka Valhalla Marketplace - on Friday.
The Wall Street Market was formerly the world's second-largest illegal darknet market.
The German Federal Criminal Police - aka Bundeskriminalamt - shuttered Wall Street Market, backed by support from Europol, the EU's law enforcement intelligence agency, as well as Dutch National Police and U.S. government agencies, including the Drug Enforcement Administration, FBI, Internal Revenue Service, Homeland Security Investigations, U.S. Postal Inspection Service and Department of Justice.
German police have arrested three German nationals - aged 22, 29 and 31 - on April 23 and 24, on suspicion of being the administrators of Wall Street Market, after having monitored their activities since March. During house searches, police seized over €550,000 ($615,000) in cash as well as hundreds of thousands of dollars' worth of cryptocurrencies, plus vehicles, computers, storage devices and other evidence, and also confiscated a firearm from the 22-year-old's residence.
Two of the site's alleged top narcotics suppliers were also been arrested in Los Angeles.
Authorities say the site had 5,400 registered sellers and 1.15 million customers, who conducted transactions using bitcoin and monero cryptocurrencies, with between 2 and 6 percent of all sales going to the site's administrators as commission.
Georg Ungefuk, spokesman for the Frankfurt chief prosecutor's office as well as Germany's ZIT internet crime agency, said illegal drugs comprised about 60 to 70 percent of sales on Wall Street Market.
In what police say were simultaneous operations, Finnish Customs - aka Tulli - backed by French National Police took down the Silkkitie market.
"These two investigations show the importance of law enforcement cooperation at an international level and demonstrate that illegal activity on the dark web is not as anonymous as criminals may think," says Catherine De Bolle, Europol's executive director.
Sites on the dark web can only be reached by using the anonymizing Tor browser to load the .onion pages - "http://wallstyizjhkrvmj(.)onion/" in the case of Wall Street Market. Buyers and sellers on such sites use cryptocurrency to make their transactions tougher to trace (see: Era of the eBay-Like Underground Markets Is Ending).
The dual disruptions follow the takedown of the Russian-language xDedic forum in January, as well as the apparent takedown in March of Dream Market, the world's biggest darknet market. Later, however, that site's administrators claimed that they were in the process of shutting the site down on April 30.
"They are being picked off one by one," says Alan Woodward, a professor of computer science at the University of Surrey, via Twitter. "It takes time and a lot of dedicated effort but these criminals are finding it increasingly difficult to avoid the light being shone into dark corners of the web."
No More Valhalla
Europol says Finnish custom authorities recently shuttered Silkkitie by seizing the web server that was powering the Tor site, which has been operating since 2013, together with a substantial number of bitcoins.
"For several years, narcotics and other illicit goods have been sold via this marketplace. Silkkitie is one of the oldest and internationally best-known Tor trade sites," Europol says.
Screen grabs posted by Mikko Hypponen, chief research officer at Finnish security firm F-Secure, show the site's wares included drugs and weapons, among other goods.
Now that Silkkitie (Valhalla) has been officially shut down by the authorities, here's couple of pictures of the service (before and after). pic.twitter.com/3l8qdqBuxJ— @mikko (@mikko) May 3, 2019
After the shutdown, law enforcement agencies traced suspected users as they moved to other darknet sites. "After the Silkkitie (Valhalla) site was shut down by the authorities, some of the Finnish narcotics traders moved their activities to other illegal trade sites in the Tor network, such as Wall Street Market," Europol says, and they were subsequently arrested by German police.
Takedown Notice Appears
The Wall Street Market disruption was first spotted on Thursday by Vitali Kremez, a cybercrime researcher.
Indeed, John, tracking it as some #cybercriminals alleged before that the administrators exit-scammed and shut down the marketplace themselves. Now, we have the reason why it is down. Great job by BKA & LEA seizing and disrupting this major prolific darkweb marketplace.— Vitali Kremez (@VK_Intel) May 2, 2019
Vendors Cry 'Exit Scam'
Buyers and sellers also reported the disruption. "Nice greetings from BKA on the landing page," one user posted to the DeepDotWeb site.
As of April 17, Wall Street Market administrators reportedly had about $10 million worth of bitcoins in escrow. The same day, some vendors began reporting that they weren't being paid and suggested that the site administrators were "exit scamming," meaning stealing all of the bitcoins and deserting the site altogether.
Over the following few days, the administrators appeared to amass $3 million more worth of bitcoins without transferring any out of the site's wallets.
"They claim to have some 'technical issues' with their BTC [bitcoin] servers," one self-described vendor wrote in an April 19 forum post. "They have been saying that they are working on the issue for the last couple of days and that the missing BTC will be returned to the website. In the meantime they are making it look like nothing is going on and they are still running the website and having customers transfer BTC to the website. Those new BTCs are going to the same wallet as the BTC that got missing before."
Another user wrote on DeepDotWeb: "Wall street had so many rare strains of cannabis i couldnt find on cgmc or cannazon [other darknet markets]. They seriously had to scam everyone? Don't use WSM at all. Unless you want your money stolen."
By April 26, Wall Street Market claimed to be closed for redesign.
Researchers say many Dream Market users, after that market appeared to be experiencing disruptions, turned to Wall Street Market. That influx and the attendant law enforcement attention that it promised to bring, however, may have led the Wall Street Market administrators to begin planning their exit scam, as ZDNet has reported.
Buyers and Sellers Get Blackmailed
By April 20, an apparent "rogue" Wall Street Market administrator called "Med3l1n"began contacting buyers and sellers and threatening to give their plaintext address to Europol and the FBI unless they sent 0.05 bitcoin (about $290).
It's not clear if Med3l1n was part of the exit scam or was left out and trying to make some quick money.
The address referred to involved anyone who had shared their "plaintext address" via the Wall Street Market support system, and so appeared to mean email addresses.
So apparently WallStreet Market is threatening customers who sent addresses in cleartext. pic.twitter.com/vLMAPfiQIg— Caleb (@5auth) April 20, 2019
On April 24, cybercrime research Patrick Shortis reported that HugBunter, an admin on Dread - a darknet version of Reddit - had been taking steps to warn Wall Street Market users about the shakedown.
Dread Admin HugBunter has posted an update to the community outlining the attempts from rogue mod Med3l1n to extort users for bitcoin using unencrypted PGP addresses available through his site access. The update includes the steps Hug took to warn users and close WSM. pic.twitter.com/8IVxnoncPh— Patrick Shortis (@Patrick_Shortis) April 24, 2019
On Friday, Germany police said that the alleged Wall Street Market admins put the marketplace into maintenance mode on April 23, and began their exit scam, "transferring the customer's funds deposited in the marketplace to themselves.
Police say they conducted "extensive cyber operations" from April 23 until Thursday, which suggests that they were keeping a close eye on the darknet market buyers and sellers.
Europol Assembles 'Dark Web Team'
Europol says its efforts to disrupt these darknet markets continue. Europol has assembled a "dark web team" focused on disrupting crime on the dark web that comprises law enforcement agencies from EU member states as well as other third parties and partners, including Eurojust, the EU agency that deals with judicial cooperation in European criminal matters.
The dark web team shares information, provides operational support and also has been "developing tools, tactics and techniques to conduct dark web investigations; identifying threats and targets," Europol says.
One of those tactics, according to Steven Wilson, head of Europol's European Cybercrime Center, is to effect coordinated takedowns in a way that maximizes the intelligence that police can gather as well as the disruption for criminals.
"We were heavily involved in the takedowns of the AlphaBay and Hansa markets," Wilson said at a cybersecurity conference in Edinburgh, Scotland, in late March.
Those disruptions occurred in 2017. First, the AlphaBay darknet market went offline - later this was revealed to have been an FBI and DEA operation codenamed "Bayonet." After AlphaBay went dark, many users defected to rival markets, including Hansa. Unbeknownst to them, however, Dutch police had infiltrated Hansa and begun collecting intelligence on its users and sharing this with international police forces (see: One Simple Error Led to AlphaBay Admin's Downfall).
Wilson said Europol continues to pursue further darknet market cases "where we can destabilize this huge threat to the population."
In part, that involves watching for criminals' attempts to launder their proceeds and cash out (see: Behind the Beard Lurked a Darknet Drug Lord, DEA Alleges).
Fulfilling orders can also leave darknet vendors exposed (see: Glove Use Key to Arrest of Alleged Darknet Drug Trafficker).